# https://wiki.archlinux.org/index.php/Nftables#Usage
# A simple and safe firewall
# Replaces the entire kernel ruleset, including tables installed by other
# software (container/VM tooling, etc.), so this file must hold every rule
# the host needs.
flush ruleset

# One "inet" table: each rule below sees both IPv4 and IPv6 packets unless it
# is qualified with "ip" or "ip6".
table inet filter {
  # Inbound traffic to this host. Rules are evaluated in order and the first
  # terminal verdict (accept/drop/reject) wins; anything that reaches the end
  # of the chain hits the explicit reject, and the policy drop is the fallback.
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept comment "Accept any localhost traffic"
    ct state invalid drop comment "drop invalid connections"
    # Replies to connections this host opened (conntrack state). This is what
    # lets the output chain's "policy accept" work without per-protocol rules.
    ct state established,related accept comment "Accept traffic originated from us"

    # IPv4 ICMP control messages needed for normal operation:
    # destination-unreachable (incl. fragmentation-needed, used by path MTU
    # discovery), time-exceeded (traceroute) and parameter-problem.
    # router-solicitation/advertisement (types 10/9) are rarely needed on a
    # client -- keep only if ICMP Router Discovery is actually used.
    # echo-request is deliberately NOT in this set; see the rate-limit rule below.
    ip protocol icmp icmp type { \
       destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem  \
    } accept comment "Accept ICMP"

    # All ICMPv6 is dropped. NOTE(review): Neighbor Discovery and Router
    # Advertisements are ICMPv6, so this leaves IPv6 non-functional on this
    # host unless IPv6 is disabled elsewhere -- confirm that is intended.
    # "ip6 nexthdr" only matches when ICMPv6 is the first next header (no
    # extension headers); such packets fall through to the final reject.
    ip6 nexthdr icmpv6 drop

    # IGMP: multicast group management, needed to receive the multicast
    # traffic (mDNS, SSDP) permitted below.
    ip protocol igmp accept comment "Accept IGMP"

    # mDNS (UDP 5353) only when addressed to the IPv4 mDNS multicast group.
    udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"

    # Unicast UPnP/SSDP responses. Presumably needed because the reply comes
    # from the device's own address rather than the multicast M-SEARCH
    # destination, so conntrack would not treat it as established -- verify.
    # CAVEAT: apart from the private/link-local source ranges, the only
    # selector is the UDP *source* port 1900, which any LAN host can set, so
    # this admits UDP to every port >= 1024 from those ranges at up to
    # 4 packets/second (burst 20). Remove it if UPnP port mapping is unused.
    udp sport 1900 udp dport >= 1024 ip saddr {  \
        10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 \
    } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"

    # Ping flood limiter. echo-request is not accepted anywhere in this chain,
    # so echo-requests under the rate still reach the final reject and are
    # answered with port-unreachable; this rule only turns floods into silent
    # drops. To actually answer pings, an
    # "ip protocol icmp icmp type echo-request accept" would have to follow it.
    ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop

    # allow ssh
    # can I disable this?  I am not going to be ssh-ing into this laptop anytime soon.
    # Left disabled: with this commented out, inbound SSH is rejected by the
    # final rule below.
    # tcp dport ssh accept

    # Reject (rather than silently drop) everything else. A reject tells the
    # sender the host is up; use "drop" if that is a concern. For TCP,
    # "reject with tcp reset" is the more conventional response.
    reject with icmpx type port-unreachable
  }

  # this is a laptop.  I do not forward stuff.
  # Nothing is routed through this host: policy drop and no rules.
  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  # I should probably work on this....I should only really enable certain outbound connections.
  # All outbound traffic is allowed. The conntrack entries it creates are what
  # the input chain's established,related rule matches on, so tightening this
  # chain does not require changes to the input chain.
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
